Series comparison

-[PULL 0/3] tcg patch queue
+[PULL v2 00/34] tcg patch queue
-The following changes since commit 00483d386901173e84c7965f9f0d678791a75e01:
+V2 fixes an error in patch 22 wrt MacOS.
 It's a shame we don't have public CI for that.
-  Merge remote-tracking branch 'remotes/shorne/tags/or1k-pull-request' into staging (2022-02-28 11:27:16 +0000)
 r~
 The following changes since commit 894fc4fd670aaf04a67dc7507739f914ff4bacf2:
   Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-06-11 09:21:48 +0100)
 are available in the Git repository at:
-  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220228
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20210613
-for you to fetch changes up to 2ccf40f00e3f29d85d4ff48a9a98870059002290:
+for you to fetch changes up to a5a8b84772e13066c6c45f480cc5b5312bbde08e:
-  tcg/tci: Use tcg_out_ldst in tcg_out_st (2022-02-28 08:04:10 -1000)
+  docs/devel: Explain in more detail the TB chaining mechanisms (2021-06-13 17:42:40 -0700)
 ----------------------------------------------------------------
-Fix typecode generation for tcg helpers
+Clean up code_gen_buffer allocation.
-Fix single stepping into interrupt handlers
+Add tcg_remove_ops_after.
-Fix out-of-range offsets for stores in TCI
+Fix tcg_constant_* documentation.
 Improve TB chaining documentation.
 Fix float32_exp2.
 Fix arm tcg_out_op function signature.
 ----------------------------------------------------------------
-Luc Michel (1):
+Jose R. Ziviani (1):
-      accel/tcg/cpu-exec: Fix precise single-stepping after interrupt
+      tcg/arm: Fix tcg_out_op function signature
-Richard Henderson (2):
+Luis Pires (1):
-      tcg: Remove dh_alias indirection for dh_typecode
+      docs/devel: Explain in more detail the TB chaining mechanisms
       tcg/tci: Use tcg_out_ldst in tcg_out_st
- include/exec/helper-head.h   | 19 ++++++++++---------
+Richard Henderson (32):
- target/hppa/helper.h         |  2 ++
+      meson: Split out tcg/meson.build
- target/i386/ops_sse_header.h |  3 +++
+      meson: Split out fpu/meson.build
- target/m68k/helper.h         |  1 +
+      tcg: Re-order tcg_region_init vs tcg_prologue_init
- target/ppc/helper.h          |  3 +++
+      tcg: Remove error return from tcg_region_initial_alloc__locked
- accel/tcg/cpu-exec.c         |  8 ++++++--
+      tcg: Split out tcg_region_initial_alloc
- tcg/tci/tcg-target.c.inc     |  5 ++---
+      tcg: Split out tcg_region_prologue_set
-files changed, 27 insertions(+), 14 deletions(-)
+      tcg: Split out region.c
       accel/tcg: Inline cpu_gen_init
       accel/tcg: Move alloc_code_gen_buffer to tcg/region.c
       accel/tcg: Rename tcg_init to tcg_init_machine
       tcg: Create tcg_init
       accel/tcg: Merge tcg_exec_init into tcg_init_machine
       accel/tcg: Use MiB in tcg_init_machine
       accel/tcg: Pass down max_cpus to tcg_init
       tcg: Introduce tcg_max_ctxs
       tcg: Move MAX_CODE_GEN_BUFFER_SIZE to tcg-target.h
       tcg: Replace region.end with region.total_size
       tcg: Rename region.start to region.after_prologue
       tcg: Tidy tcg_n_regions
       tcg: Tidy split_cross_256mb
       tcg: Move in_code_gen_buffer and tests to region.c
       tcg: Allocate code_gen_buffer into struct tcg_region_state
       tcg: Return the map protection from alloc_code_gen_buffer
       tcg: Sink qemu_madvise call to common code
       util/osdep: Add qemu_mprotect_rw
       tcg: Round the tb_size default from qemu_get_host_physmem
       tcg: Merge buffer protection and guard page protection
       tcg: When allocating for !splitwx, begin with PROT_NONE
       tcg: Move tcg_init_ctx and tcg_ctx from accel/tcg/
       tcg: Introduce tcg_remove_ops_after
       tcg: Fix documentation for tcg_constant_* vs tcg_temp_free_*
       softfloat: Fix tp init in float32_exp2
  docs/devel/tcg.rst        | 101 ++++-
  meson.build               |  12 +-
  accel/tcg/internal.h      |   2 +
  include/qemu/osdep.h      |   1 +
  include/sysemu/tcg.h      |   2 -
  include/tcg/tcg.h         |  28 +-
  tcg/aarch64/tcg-target.h  |   1 +
  tcg/arm/tcg-target.h      |   1 +
  tcg/i386/tcg-target.h     |   2 +
  tcg/mips/tcg-target.h     |   6 +
  tcg/ppc/tcg-target.h      |   2 +
  tcg/riscv/tcg-target.h    |   1 +
  tcg/s390/tcg-target.h     |   3 +
  tcg/sparc/tcg-target.h    |   1 +
  tcg/tcg-internal.h        |  40 ++
  tcg/tci/tcg-target.h      |   1 +
  accel/tcg/tcg-all.c       |  32 +-
  accel/tcg/translate-all.c | 439 +-------------------
  bsd-user/main.c           |   3 +-
  fpu/softfloat.c           |   2 +-
  linux-user/main.c         |   1 -
  tcg/region.c              | 999 ++++++++++++++++++++++++++++++++++++++++++++++
  tcg/tcg.c                 | 649 +++---------------------------
  util/osdep.c              |   9 +
  tcg/arm/tcg-target.c.inc  |   3 +-
  fpu/meson.build           |   1 +
  tcg/meson.build           |  14 +
 files changed, 1266 insertions(+), 1090 deletions(-)
  create mode 100644 tcg/tcg-internal.h
  create mode 100644 tcg/region.c
  create mode 100644 fpu/meson.build
  create mode 100644 tcg/meson.build

-[PULL 1/3] tcg: Remove dh_alias indirection for dh_typecode
+[PULL v2 22/34] tcg: Allocate code_gen_buffer into struct tcg_region_state
-The dh_alias redirect is intended to handle TCG types as distinguished
+Do not mess around with setting values within tcg_init_ctx.
-from C types.  TCG does not distinguish signed int from unsigned int,
+Put the values into 'region' directly, which is where they
-because they are the same size.  However, we need to retain this
+will live for the lifetime of the program.
 distinction for dh_typecode, lest we fail to extend abi types properly
 for the host call parameters.
-This bug was detected when running the 'arm' emulator on an s390
-system. The s390 uses TCG_TARGET_EXTEND_ARGS which triggers code
-in tcg_gen_callN to extend 32 bit values to 64 bits; the incorrect
-sign data in the typemask for each argument caused the values to be
-extended as unsigned values.
-This simple program exhibits the problem:
-    static volatile int num = -9;
-    static volatile int den = -5;
-    int main(void)
-    {
-        int quo = num / den;
-        printf("num %d den %d quo %d\n", num, den, quo);
-        exit(0);
-    }
-When run on the broken qemu, this results in:
-    num -9 den -5 quo 0
-The correct result is:
-    num -9 den -5 quo 1
-Fixes: 7319d83a735 ("tcg: Combine dh_is_64bit and dh_is_signed to dh_typecode")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/876
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
 Tested-by: Keith Packard <keithp@keithp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/helper-head.h   | 19 ++++++++++---------
+ tcg/region.c | 64 ++++++++++++++++++++++------------------------------
- target/hppa/helper.h         |  2 ++
+file changed, 27 insertions(+), 37 deletions(-)
  target/i386/ops_sse_header.h |  3 +++
  target/m68k/helper.h         |  1 +
  target/ppc/helper.h          |  3 +++
 files changed, 19 insertions(+), 9 deletions(-)
-diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/helper-head.h
+--- a/tcg/region.c
-+++ b/include/exec/helper-head.h
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static size_t tree_size;
- # ifdef TARGET_LONG_BITS
- #  if TARGET_LONG_BITS == 32
+ bool in_code_gen_buffer(const void *p)
- #   define dh_alias_tl i32
+ {
-+#   define dh_typecode_tl dh_typecode_i32
+-    const TCGContext *s = &tcg_init_ctx;
- #  else
+     /*
- #   define dh_alias_tl i64
+      * Much like it is valid to have a pointer to the byte past the
-+#   define dh_typecode_tl dh_typecode_i64
+      * end of an array (so long as you don't dereference it), allow
- #  endif
+      * a pointer to the byte past the end of the code gen buffer.
- # endif
+      */
--# define dh_alias_env ptr
+-    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
- # define dh_ctype_tl target_ulong
++    return (size_t)(p - region.start_aligned) <= region.total_size;
-+# define dh_alias_env ptr
+ }
- # define dh_ctype_env CPUArchState *
-+# define dh_typecode_env dh_typecode_ptr
+ #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
      }
      qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
  #elif defined(_WIN32)
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
          return false;
      }
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
  #else
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
      /* Request large pages for the buffer.  */
      qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
          return false;
      }
      /* The size of the mapping may have been adjusted. */
 -    size = tcg_ctx->code_gen_buffer_size;
 -    buf_rx = tcg_ctx->code_gen_buffer;
 +    buf_rx = region.start_aligned;
 +    size = region.total_size;
  #endif
- /* We can't use glue() here because it falls foul of C preprocessor
+     buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
  #define dh_typecode_i64 4
  #define dh_typecode_s64 5
  #define dh_typecode_ptr 6
 -#define dh_typecode(t) glue(dh_typecode_, dh_alias(t))
 +#define dh_typecode_int dh_typecode_s32
 +#define dh_typecode_f16 dh_typecode_i32
 +#define dh_typecode_f32 dh_typecode_i32
 +#define dh_typecode_f64 dh_typecode_i64
 +#define dh_typecode_cptr dh_typecode_ptr
 +#define dh_typecode(t) dh_typecode_##t
  #define dh_callflag_i32  0
 -#define dh_callflag_s32  0
 -#define dh_callflag_int  0
  #define dh_callflag_i64  0
 -#define dh_callflag_s64  0
 -#define dh_callflag_f16  0
 -#define dh_callflag_f32  0
 -#define dh_callflag_f64  0
  #define dh_callflag_ptr  0
 -#define dh_callflag_cptr dh_callflag_ptr
  #define dh_callflag_void 0
  #define dh_callflag_noreturn TCG_CALL_NO_RETURN
  #define dh_callflag(t) glue(dh_callflag_, dh_alias(t))
 diff --git a/target/hppa/helper.h b/target/hppa/helper.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hppa/helper.h
 +++ b/target/hppa/helper.h
@@ -XXX,XX +XXX,XX @@
  #if TARGET_REGISTER_BITS == 64
  # define dh_alias_tr     i64
 +# define dh_typecode_tr  dh_typecode_i64
  #else
  # define dh_alias_tr     i32
 +# define dh_typecode_tr  dh_typecode_i32
  #endif
- #define dh_ctype_tr      target_ureg
+     close(fd);
-diff --git a/target/i386/ops_sse_header.h b/target/i386/ops_sse_header.h
+-    tcg_ctx->code_gen_buffer = buf_rw;
-index XXXXXXX..XXXXXXX 100644
+-    tcg_ctx->code_gen_buffer_size = size;
---- a/target/i386/ops_sse_header.h
++    region.start_aligned = buf_rw;
-+++ b/target/i386/ops_sse_header.h
++    region.total_size = size;
-@@ -XXX,XX +XXX,XX @@
+     tcg_splitwx_diff = buf_rx - buf_rw;
- #define dh_ctype_Reg Reg *
- #define dh_ctype_ZMMReg ZMMReg *
+     /* Request large pages for the buffer and the splitwx.  */
- #define dh_ctype_MMXReg MMXReg *
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
-+#define dh_typecode_Reg dh_typecode_ptr
+         return false;
-+#define dh_typecode_ZMMReg dh_typecode_ptr
+     }
-+#define dh_typecode_MMXReg dh_typecode_ptr
+-    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
- DEF_HELPER_3(glue(psrlw, SUFFIX), void, env, Reg, Reg)
++    buf_rw = (mach_vm_address_t)region.start_aligned;
- DEF_HELPER_3(glue(psraw, SUFFIX), void, env, Reg, Reg)
+     buf_rx = 0;
-diff --git a/target/m68k/helper.h b/target/m68k/helper.h
+     ret = mach_vm_remap(mach_task_self(),
-index XXXXXXX..XXXXXXX 100644
+                         &buf_rx,
---- a/target/m68k/helper.h
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
-+++ b/target/m68k/helper.h
+  */
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_4(cas2l_parallel, void, env, i32, i32, i32)
+ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+ {
- #define dh_alias_fp ptr
+-    void *buf, *aligned, *end;
- #define dh_ctype_fp FPReg *
+-    size_t total_size;
-+#define dh_typecode_fp dh_typecode_ptr
+     size_t page_size;
+     size_t region_size;
- DEF_HELPER_3(exts32, void, env, fp, s32)
+-    size_t n_regions;
- DEF_HELPER_3(extf32, void, env, fp, f32)
+     size_t i;
-diff --git a/target/ppc/helper.h b/target/ppc/helper.h
+     bool ok;
-index XXXXXXX..XXXXXXX 100644
---- a/target/ppc/helper.h
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
-+++ b/target/ppc/helper.h
+                                splitwx, &error_fatal);
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_1(ftsqrt, TCG_CALL_NO_RWG_SE, i32, i64)
+     assert(ok);
- #define dh_alias_avr ptr
+-    buf = tcg_init_ctx.code_gen_buffer;
- #define dh_ctype_avr ppc_avr_t *
+-    total_size = tcg_init_ctx.code_gen_buffer_size;
-+#define dh_typecode_avr dh_typecode_ptr
+-    page_size = qemu_real_host_page_size;
+-    n_regions = tcg_n_regions(total_size, max_cpus);
- #define dh_alias_vsr ptr
+-
- #define dh_ctype_vsr ppc_vsr_t *
+-    /* The first region will be 'aligned - buf' bytes larger than the others */
-+#define dh_typecode_vsr dh_typecode_ptr
+-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
+-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
- DEF_HELPER_3(vavgub, void, avr, avr, avr)
+-
- DEF_HELPER_3(vavguh, void, avr, avr, avr)
+     /*
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(store_dbatu, void, env, i32, tl)
+      * Make region_size a multiple of page_size, using aligned as the start.
+      * As a result of this we might end up with a few extra pages at the end of
- #define dh_alias_fprp ptr
+      * the buffer; we will assign those to the last region.
- #define dh_ctype_fprp ppc_fprp_t *
+      */
-+#define dh_typecode_fprp dh_typecode_ptr
+-    region_size = (total_size - (aligned - buf)) / n_regions;
++    region.n = tcg_n_regions(region.total_size, max_cpus);
- DEF_HELPER_4(DADD, void, env, fprp, fprp, fprp)
++    page_size = qemu_real_host_page_size;
- DEF_HELPER_4(DADDQ, void, env, fprp, fprp, fprp)
++    region_size = region.total_size / region.n;
      region_size = QEMU_ALIGN_DOWN(region_size, page_size);
      /* A region must have at least 2 pages; one code, one guard */
      g_assert(region_size >= 2 * page_size);
 +    region.stride = region_size;
 +
 +    /* Reserve space for guard pages. */
 +    region.size = region_size - page_size;
 +    region.total_size -= page_size;
 +
 +    /*
 +     * The first region will be smaller than the others, via the prologue,
 +     * which has yet to be allocated.  For now, the first region begins at
 +     * the page boundary.
 +     */
 +    region.after_prologue = region.start_aligned;
      /* init the region struct */
      qemu_mutex_init(&region.lock);
 -    region.n = n_regions;
 -    region.size = region_size - page_size;
 -    region.stride = region_size;
 -    region.after_prologue = buf;
 -    region.start_aligned = aligned;
 -    /* page-align the end, since its last page will be a guard page */
 -    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
 -    /* account for that last guard page */
 -    end -= page_size;
 -    total_size = end - aligned;
 -    region.total_size = total_size;
      /*
       * Set guard pages in the rw buffer, as that's the one into which
 --
 .25.1

-[PULL 2/3] accel/tcg/cpu-exec: Fix precise single-stepping after interrupt
+Deleted patch
-From: Luc Michel <lmichel@kalray.eu>
-In some cases, cpu->exit_request can be false after handling the
-interrupt, leading to another TB being executed instead of returning
-to the main loop.
-Fix this by returning true unconditionally when in single-step mode.
-Fixes: ba3c35d9c402 ("tcg/cpu-exec: precise single-stepping after an interrupt")
-Signed-off-by: Luc Michel <lmichel@kalray.eu>
-Message-Id: <20220214132656.11397-1-lmichel@kalray.eu>
-[rth: Unlock iothread mutex; simplify indentation]
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- accel/tcg/cpu-exec.c | 8 ++++++--
-file changed, 6 insertions(+), 2 deletions(-)
-diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cpu-exec.c
-+++ b/accel/tcg/cpu-exec.c
-@@ -XXX,XX +XXX,XX @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
-                  * raised when single-stepping so that GDB doesn't miss the
-                  * next instruction.
-                  */
--                cpu->exception_index =
--                    (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
-+                if (unlikely(cpu->singlestep_enabled)) {
-+                    cpu->exception_index = EXCP_DEBUG;
-+                    qemu_mutex_unlock_iothread();
-+                    return true;
-+                }
-+                cpu->exception_index = -1;
-                 *last_tb = NULL;
-             }
-             /* The target hook may have updated the 'cpu->interrupt_request';
---
-.25.1

-[PULL 3/3] tcg/tci: Use tcg_out_ldst in tcg_out_st
+Deleted patch
-The tcg_out_ldst helper will handle out-of-range offsets.
-We haven't actually encountered any, since we haven't run
-across the assert within tcg_out_op_rrs, but an out-of-range
-offset would not be impossible in future.
-Fixes: 65089889183 ("tcg/tci: Change encoding to uint32_t units")
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- tcg/tci/tcg-target.c.inc | 5 ++---
-file changed, 2 insertions(+), 3 deletions(-)
-diff --git a/tcg/tci/tcg-target.c.inc b/tcg/tci/tcg-target.c.inc
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/tci/tcg-target.c.inc
-+++ b/tcg/tci/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc,
- static void tcg_out_st(TCGContext *s, TCGType type, TCGReg val, TCGReg base,
-                        intptr_t offset)
- {
--    stack_bounds_check(base, offset);
-     switch (type) {
-     case TCG_TYPE_I32:
--        tcg_out_op_rrs(s, INDEX_op_st_i32, val, base, offset);
-+        tcg_out_ldst(s, INDEX_op_st_i32, val, base, offset);
-         break;
- #if TCG_TARGET_REG_BITS == 64
-     case TCG_TYPE_I64:
--        tcg_out_op_rrs(s, INDEX_op_st_i64, val, base, offset);
-+        tcg_out_ldst(s, INDEX_op_st_i64, val, base, offset);
-         break;
- #endif
-     default:
---
-.25.1

The following changes since commit 00483d386901173e84c7965f9f0d678791a75e01:

Merge remote-tracking branch 'remotes/shorne/tags/or1k-pull-request' into staging (2022-02-28 11:27:16 +0000)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220228

for you to fetch changes up to 2ccf40f00e3f29d85d4ff48a9a98870059002290:

tcg/tci: Use tcg_out_ldst in tcg_out_st (2022-02-28 08:04:10 -1000)

----------------------------------------------------------------
Fix typecode generation for tcg helpers
Fix single stepping into interrupt handlers
Fix out-of-range offsets for stores in TCI

----------------------------------------------------------------
Luc Michel (1):
      accel/tcg/cpu-exec: Fix precise single-stepping after interrupt

Richard Henderson (2):
      tcg: Remove dh_alias indirection for dh_typecode
      tcg/tci: Use tcg_out_ldst in tcg_out_st

The dh_alias redirect is intended to handle TCG types as distinguished
from C types.  TCG does not distinguish signed int from unsigned int,
because they are the same size.  However, we need to retain this
distinction for dh_typecode, lest we fail to extend abi types properly
for the host call parameters.

This bug was detected when running the 'arm' emulator on an s390
system. The s390 uses TCG_TARGET_EXTEND_ARGS which triggers code
in tcg_gen_callN to extend 32 bit values to 64 bits; the incorrect
sign data in the typemask for each argument caused the values to be
extended as unsigned values.

This simple program exhibits the problem:

static volatile int num = -9;
	static volatile int den = -5;
	int main(void)
	{
		int quo = num / den;
		printf("num %d den %d quo %d\n", num, den, quo);
		exit(0);
	}

When run on the broken qemu, this results in:

num -9 den -5 quo 0

The correct result is:

num -9 den -5 quo 1

Fixes: 7319d83a735 ("tcg: Combine dh_is_64bit and dh_is_signed to dh_typecode")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/876
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reported-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Tested-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Tested-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/helper-head.h   | 19 ++++++++++---------
 target/hppa/helper.h         |  2 ++
 target/i386/ops_sse_header.h |  3 +++
 target/m68k/helper.h         |  1 +
 target/ppc/helper.h          |  3 +++
 5 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/include/exec/helper-head.h b/include/exec/helper-head.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/helper-head.h
+++ b/include/exec/helper-head.h
@@ -XXX,XX +XXX,XX @@
 # ifdef TARGET_LONG_BITS
 #  if TARGET_LONG_BITS == 32
 #   define dh_alias_tl i32
+#   define dh_typecode_tl dh_typecode_i32
 #  else
 #   define dh_alias_tl i64
+#   define dh_typecode_tl dh_typecode_i64
 #  endif
 # endif
-# define dh_alias_env ptr
 # define dh_ctype_tl target_ulong
+# define dh_alias_env ptr
 # define dh_ctype_env CPUArchState *
+# define dh_typecode_env dh_typecode_ptr
 #endif
 
 /* We can't use glue() here because it falls foul of C preprocessor
@@ -XXX,XX +XXX,XX @@
 #define dh_typecode_i64 4
 #define dh_typecode_s64 5
 #define dh_typecode_ptr 6
-#define dh_typecode(t) glue(dh_typecode_, dh_alias(t))
+#define dh_typecode_int dh_typecode_s32
+#define dh_typecode_f16 dh_typecode_i32
+#define dh_typecode_f32 dh_typecode_i32
+#define dh_typecode_f64 dh_typecode_i64
+#define dh_typecode_cptr dh_typecode_ptr
+#define dh_typecode(t) dh_typecode_##t
 
 #define dh_callflag_i32  0
-#define dh_callflag_s32  0
-#define dh_callflag_int  0
 #define dh_callflag_i64  0
-#define dh_callflag_s64  0
-#define dh_callflag_f16  0
-#define dh_callflag_f32  0
-#define dh_callflag_f64  0
 #define dh_callflag_ptr  0
-#define dh_callflag_cptr dh_callflag_ptr
 #define dh_callflag_void 0
 #define dh_callflag_noreturn TCG_CALL_NO_RETURN
 #define dh_callflag(t) glue(dh_callflag_, dh_alias(t))
diff --git a/target/hppa/helper.h b/target/hppa/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/helper.h
+++ b/target/hppa/helper.h
@@ -XXX,XX +XXX,XX @@
 #if TARGET_REGISTER_BITS == 64
 # define dh_alias_tr     i64
+# define dh_typecode_tr  dh_typecode_i64
 #else
 # define dh_alias_tr     i32
+# define dh_typecode_tr  dh_typecode_i32
 #endif
 #define dh_ctype_tr      target_ureg
 
diff --git a/target/i386/ops_sse_header.h b/target/i386/ops_sse_header.h
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/ops_sse_header.h
+++ b/target/i386/ops_sse_header.h
@@ -XXX,XX +XXX,XX @@
 #define dh_ctype_Reg Reg *
 #define dh_ctype_ZMMReg ZMMReg *
 #define dh_ctype_MMXReg MMXReg *
+#define dh_typecode_Reg dh_typecode_ptr
+#define dh_typecode_ZMMReg dh_typecode_ptr
+#define dh_typecode_MMXReg dh_typecode_ptr
 
 DEF_HELPER_3(glue(psrlw, SUFFIX), void, env, Reg, Reg)
 DEF_HELPER_3(glue(psraw, SUFFIX), void, env, Reg, Reg)
diff --git a/target/m68k/helper.h b/target/m68k/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/helper.h
+++ b/target/m68k/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_4(cas2l_parallel, void, env, i32, i32, i32)
 
 #define dh_alias_fp ptr
 #define dh_ctype_fp FPReg *
+#define dh_typecode_fp dh_typecode_ptr
 
 DEF_HELPER_3(exts32, void, env, fp, s32)
 DEF_HELPER_3(extf32, void, env, fp, f32)
diff --git a/target/ppc/helper.h b/target/ppc/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/helper.h
+++ b/target/ppc/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_1(ftsqrt, TCG_CALL_NO_RWG_SE, i32, i64)
 
 #define dh_alias_avr ptr
 #define dh_ctype_avr ppc_avr_t *
+#define dh_typecode_avr dh_typecode_ptr
 
 #define dh_alias_vsr ptr
 #define dh_ctype_vsr ppc_vsr_t *
+#define dh_typecode_vsr dh_typecode_ptr
 
 DEF_HELPER_3(vavgub, void, avr, avr, avr)
 DEF_HELPER_3(vavguh, void, avr, avr, avr)
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_3(store_dbatu, void, env, i32, tl)
 
 #define dh_alias_fprp ptr
 #define dh_ctype_fprp ppc_fprp_t *
+#define dh_typecode_fprp dh_typecode_ptr
 
 DEF_HELPER_4(DADD, void, env, fprp, fprp, fprp)
 DEF_HELPER_4(DADDQ, void, env, fprp, fprp, fprp)
-- 
2.25.1

From: Luc Michel <lmichel@kalray.eu>

In some cases, cpu->exit_request can be false after handling the
interrupt, leading to another TB being executed instead of returning
to the main loop.

Fix this by returning true unconditionally when in single-step mode.

Fixes: ba3c35d9c402 ("tcg/cpu-exec: precise single-stepping after an interrupt")
Signed-off-by: Luc Michel <lmichel@kalray.eu>
Message-Id: <20220214132656.11397-1-lmichel@kalray.eu>
[rth: Unlock iothread mutex; simplify indentation]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
                  * raised when single-stepping so that GDB doesn't miss the
                  * next instruction.
                  */
-                cpu->exception_index =
-                    (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
+                if (unlikely(cpu->singlestep_enabled)) {
+                    cpu->exception_index = EXCP_DEBUG;
+                    qemu_mutex_unlock_iothread();
+                    return true;
+                }
+                cpu->exception_index = -1;
                 *last_tb = NULL;
             }
             /* The target hook may have updated the 'cpu->interrupt_request';
-- 
2.25.1

The tcg_out_ldst helper will handle out-of-range offsets.
We haven't actually encountered any, since we haven't run
across the assert within tcg_out_op_rrs, but an out-of-range
offset would not be impossible in future.

Fixes: 65089889183 ("tcg/tci: Change encoding to uint32_t units")
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tci/tcg-target.c.inc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tcg/tci/tcg-target.c.inc b/tcg/tci/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tci/tcg-target.c.inc
+++ b/tcg/tci/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_op(TCGContext *s, TCGOpcode opc,
 static void tcg_out_st(TCGContext *s, TCGType type, TCGReg val, TCGReg base,
                        intptr_t offset)
 {
-    stack_bounds_check(base, offset);
     switch (type) {
     case TCG_TYPE_I32:
-        tcg_out_op_rrs(s, INDEX_op_st_i32, val, base, offset);
+        tcg_out_ldst(s, INDEX_op_st_i32, val, base, offset);
         break;
 #if TCG_TARGET_REG_BITS == 64
     case TCG_TYPE_I64:
-        tcg_out_op_rrs(s, INDEX_op_st_i64, val, base, offset);
+        tcg_out_ldst(s, INDEX_op_st_i64, val, base, offset);
         break;
 #endif
     default:
-- 
2.25.1

V2 fixes an error in patch 22 wrt MacOS.
It's a shame we don't have public CI for that.

The following changes since commit 894fc4fd670aaf04a67dc7507739f914ff4bacf2:

Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-06-11 09:21:48 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20210613

for you to fetch changes up to a5a8b84772e13066c6c45f480cc5b5312bbde08e:

docs/devel: Explain in more detail the TB chaining mechanisms (2021-06-13 17:42:40 -0700)

----------------------------------------------------------------
Clean up code_gen_buffer allocation.
Add tcg_remove_ops_after.
Fix tcg_constant_* documentation.
Improve TB chaining documentation.
Fix float32_exp2.
Fix arm tcg_out_op function signature.

----------------------------------------------------------------
Jose R. Ziviani (1):
      tcg/arm: Fix tcg_out_op function signature

Luis Pires (1):
      docs/devel: Explain in more detail the TB chaining mechanisms

Richard Henderson (32):
      meson: Split out tcg/meson.build
      meson: Split out fpu/meson.build
      tcg: Re-order tcg_region_init vs tcg_prologue_init
      tcg: Remove error return from tcg_region_initial_alloc__locked
      tcg: Split out tcg_region_initial_alloc
      tcg: Split out tcg_region_prologue_set
      tcg: Split out region.c
      accel/tcg: Inline cpu_gen_init
      accel/tcg: Move alloc_code_gen_buffer to tcg/region.c
      accel/tcg: Rename tcg_init to tcg_init_machine
      tcg: Create tcg_init
      accel/tcg: Merge tcg_exec_init into tcg_init_machine
      accel/tcg: Use MiB in tcg_init_machine
      accel/tcg: Pass down max_cpus to tcg_init
      tcg: Introduce tcg_max_ctxs
      tcg: Move MAX_CODE_GEN_BUFFER_SIZE to tcg-target.h
      tcg: Replace region.end with region.total_size
      tcg: Rename region.start to region.after_prologue
      tcg: Tidy tcg_n_regions
      tcg: Tidy split_cross_256mb
      tcg: Move in_code_gen_buffer and tests to region.c
      tcg: Allocate code_gen_buffer into struct tcg_region_state
      tcg: Return the map protection from alloc_code_gen_buffer
      tcg: Sink qemu_madvise call to common code
      util/osdep: Add qemu_mprotect_rw
      tcg: Round the tb_size default from qemu_get_host_physmem
      tcg: Merge buffer protection and guard page protection
      tcg: When allocating for !splitwx, begin with PROT_NONE
      tcg: Move tcg_init_ctx and tcg_ctx from accel/tcg/
      tcg: Introduce tcg_remove_ops_after
      tcg: Fix documentation for tcg_constant_* vs tcg_temp_free_*
      softfloat: Fix tp init in float32_exp2

Do not mess around with setting values within tcg_init_ctx.
Put the values into 'region' directly, which is where they
will live for the lifetime of the program.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 64 ++++++++++++++++++++++------------------------------
 1 file changed, 27 insertions(+), 37 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static size_t tree_size;
 
 bool in_code_gen_buffer(const void *p)
 {
-    const TCGContext *s = &tcg_init_ctx;
     /*
      * Much like it is valid to have a pointer to the byte past the
      * end of an array (so long as you don't dereference it), allow
      * a pointer to the byte past the end of the code gen buffer.
      */
-    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
+    return (size_t)(p - region.start_aligned) <= region.total_size;
 }
 
 #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
     }
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 #elif defined(_WIN32)
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
         return false;
     }
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 #else
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
     /* Request large pages for the buffer.  */
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
         return false;
     }
     /* The size of the mapping may have been adjusted. */
-    size = tcg_ctx->code_gen_buffer_size;
-    buf_rx = tcg_ctx->code_gen_buffer;
+    buf_rx = region.start_aligned;
+    size = region.total_size;
 #endif
 
     buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
 #endif
 
     close(fd);
-    tcg_ctx->code_gen_buffer = buf_rw;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf_rw;
+    region.total_size = size;
     tcg_splitwx_diff = buf_rx - buf_rw;
 
     /* Request large pages for the buffer and the splitwx.  */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
         return false;
     }
 
-    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
+    buf_rw = (mach_vm_address_t)region.start_aligned;
     buf_rx = 0;
     ret = mach_vm_remap(mach_task_self(),
                         &buf_rx,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  */
 void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
-    void *buf, *aligned, *end;
-    size_t total_size;
     size_t page_size;
     size_t region_size;
-    size_t n_regions;
     size_t i;
     bool ok;
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
                                splitwx, &error_fatal);
     assert(ok);
 
-    buf = tcg_init_ctx.code_gen_buffer;
-    total_size = tcg_init_ctx.code_gen_buffer_size;
-    page_size = qemu_real_host_page_size;
-    n_regions = tcg_n_regions(total_size, max_cpus);
-
-    /* The first region will be 'aligned - buf' bytes larger than the others */
-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
-
     /*
      * Make region_size a multiple of page_size, using aligned as the start.
      * As a result of this we might end up with a few extra pages at the end of
      * the buffer; we will assign those to the last region.
      */
-    region_size = (total_size - (aligned - buf)) / n_regions;
+    region.n = tcg_n_regions(region.total_size, max_cpus);
+    page_size = qemu_real_host_page_size;
+    region_size = region.total_size / region.n;
     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
 
     /* A region must have at least 2 pages; one code, one guard */
     g_assert(region_size >= 2 * page_size);
+    region.stride = region_size;
+
+    /* Reserve space for guard pages. */
+    region.size = region_size - page_size;
+    region.total_size -= page_size;
+
+    /*
+     * The first region will be smaller than the others, via the prologue,
+     * which has yet to be allocated.  For now, the first region begins at
+     * the page boundary.
+     */
+    region.after_prologue = region.start_aligned;
 
     /* init the region struct */
     qemu_mutex_init(&region.lock);
-    region.n = n_regions;
-    region.size = region_size - page_size;
-    region.stride = region_size;
-    region.after_prologue = buf;
-    region.start_aligned = aligned;
-    /* page-align the end, since its last page will be a guard page */
-    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
-    /* account for that last guard page */
-    end -= page_size;
-    total_size = end - aligned;
-    region.total_size = total_size;
 
     /*
      * Set guard pages in the rw buffer, as that's the one into which
-- 
2.25.1